Interface CSRFHandler

  • All Superinterfaces:
    Handler<RoutingContext>, InputTrustHandler

    public interface CSRFHandler
    extends InputTrustHandler
    This handler adds a CSRF token to requests which mutate state. To change state, a cookie (XSRF-TOKEN by default) is set with a unique token, which the client is expected to send back in a header (X-XSRF-TOKEN by default). The handler then checks the token presented in the request (header or form body) against the cookie for validity. This handler requires session support, so it must be added to the router after the Session and Body handlers.
    Author:
    Paulo Lopes
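    The wiring the description above calls for (Session handler, then Body handler, then CSRFHandler), as an added example; this is not code from the Vert.x project or this page. It assumes the origin https://www.foo.com from the setOrigin documentation below, that the timeout is in milliseconds like the session handler's, and that the handler exposes the issued token on the routing context under the header name and accepts it back as a form field of the same name; the secret, routes and port are placeholders.

```java
import io.vertx.core.Vertx;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.BodyHandler;
import io.vertx.ext.web.handler.CSRFHandler;
import io.vertx.ext.web.handler.SessionHandler;
import io.vertx.ext.web.sstore.LocalSessionStore;

public class CsrfWiring {

  // Placeholder secret for the example. In production load a long, randomly
  // generated value from a secret store; never keep a literal in source control.
  private static final String CSRF_SECRET = "replace-with-a-long-random-secret";

  public static Router build(Vertx vertx) {
    Router router = Router.router(vertx);

    // Order matters: the CSRF handler reads the session and the parsed body,
    // so both handlers must run before it.
    router.route().handler(SessionHandler.create(LocalSessionStore.create(vertx)));
    router.route().handler(BodyHandler.create());

    CSRFHandler csrf = CSRFHandler.create(vertx, CSRF_SECRET)
        // Extra check: the request origin must match this scheme, host and port.
        .setOrigin("https://www.foo.com")
        // Browsers will only send the XSRF-TOKEN cookie over HTTPS.
        .setCookieSecure(true)
        // Log a warning if this ends up deployed behind plain HTTP.
        .setNagHttps(true)
        // Token lifetime; assumed to be milliseconds, matching the session handler.
        .setTimeout(15L * 60 * 1000);

    // Registered on every route; the token is only enforced on requests that
    // mutate state (e.g. POST), while GET requests receive a fresh token.
    router.route().handler(csrf);

    router.get("/form").handler(CsrfWiring::renderForm);
    router.post("/transfer").handler(CsrfWiring::handleTransfer);
    return router;
  }

  // GET: the handler has already set the cookie and stored the token in the
  // routing context under the header name (assumption), so embed it in the form.
  private static void renderForm(RoutingContext ctx) {
    String token = ctx.get(CSRFHandler.DEFAULT_HEADER_NAME);
    ctx.response()
        .putHeader("Content-Type", "text/html; charset=utf-8")
        .end("<form method=\"post\" action=\"/transfer\">"
            + "<input type=\"hidden\" name=\"" + CSRFHandler.DEFAULT_HEADER_NAME
            + "\" value=\"" + token + "\">"
            + "<input name=\"amount\"><button>Send</button></form>");
  }

  // POST: reaching this handler means the CSRF check passed; a request whose
  // token did not match the cookie was failed by the handler before this point.
  private static void handleTransfer(RoutingContext ctx) {
    String amount = ctx.request().getFormAttribute("amount");
    ctx.response().end("transferred " + amount);
  }

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    vertx.createHttpServer()
        .requestHandler(build(vertx))
        .listen(8080, ar -> System.out.println(
            ar.succeeded() ? "listening on 8080" : "failed: " + ar.cause()));
  }
}
```

    The server listens on plain HTTP for brevity, which is exactly the case setNagHttps warns about: with setCookieSecure(true) the browser will not return the cookie unless the page is served over HTTPS, so in practice enable TLS on the server or terminate it in front. A JavaScript client such as AngularJS reads the XSRF-TOKEN cookie and sends it back in the X-XSRF-TOKEN header instead of the hidden field.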
    • Method Detail

      • create

        static CSRFHandler create​(Vertx vertx,
                                  String secret)
        Instantiate a new CSRFHandlerImpl with a secret

         CSRFHandler.create(vertx, "s3cr37")
         
        Parameters:
        vertx - the Vert.x instance.
        secret - server secret used to sign the token. Use a long, randomly generated value and keep it out of source control; a guessable secret lets an attacker forge tokens.
      • setOrigin

        CSRFHandler setOrigin​(String origin)
        Set the origin for this server. When this value is set, extra validation occurs: the origin of the request must match this server's protocol, host and port.
        Parameters:
        origin - the origin for this server e.g.: https://www.foo.com.
        Returns:
        fluent
      • setCookieName

        CSRFHandler setCookieName​(String name)
        Set the cookie name. By default XSRF-TOKEN is used, as it is the name AngularJS expects; other frameworks might use other names.
        Parameters:
        name - a new name for the cookie.
        Returns:
        fluent
      • setCookiePath

        CSRFHandler setCookiePath​(String path)
        Set the cookie path. By default / is used.
        Parameters:
        path - a new path for the cookie.
        Returns:
        fluent
      • setCookieSecure

        CSRFHandler setCookieSecure​(boolean secure)
        Sets the cookie secure flag. When set this flag instructs browsers to only send the cookie over HTTPS.
        Parameters:
        secure - true to set the secure flag on the cookie
        Returns:
        a reference to this, so the API can be used fluently
      • setHeaderName

        CSRFHandler setHeaderName​(String name)
        Set the header name. By default X-XSRF-TOKEN is used, as it is the name AngularJS expects; other frameworks might use other names.
        Parameters:
        name - a new name for the header.
        Returns:
        fluent
      • setNagHttps

        CSRFHandler setNagHttps​(boolean nag)
        Whether the handler should log warning messages when it is used over a protocol other than HTTPS.
        Parameters:
        nag - true to nag
        Returns:
        fluent
      • setTimeout

        CSRFHandler setTimeout​(long timeout)
        Set the timeout for tokens generated by the handler. By default the session handler's timeout is used.
        Parameters:
        timeout - token timeout
        Returns:
        fluent